OpenWrt (modification):
Patch the default configuration file with the tiny memory
configuration example from Unbound documentation. This is the best
starting point for embedded routers if one is not going to use UCI.
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -19,6 +19,76 @@ server:
 	# verbosity number, 0 is least verbose. 1 is default.
 	# verbosity: 1
 
+	############################################################################
+	# MEMORY CONTROL EXAMPLE
+	# In the example config settings below memory usage is reduced. Some ser-
+	# vice levels are lower, notable very large data and a high TCP load are
+	# no longer supported ... are exceptional for the DNS.
+	# (http://unbound.net/documentation/unbound.conf.html)
+	############################################################################
+
+	# Self jail Unbound with user "unbound" to /var/lib/unbound
+	# The script /etc/init.d/unbound will setup the location
+	username: "unbound"
+	directory: "/var/lib/unbound"
+	chroot: "/var/lib/unbound"
+
+	# The pid file is created before privleges drop so no concern
+	pidfile: "/var/run/unbound.pid"
+
+	# no threads and no memory slabs for threads
+	num-threads: 1
+	msg-cache-slabs: 1
+	rrset-cache-slabs: 1
+	infra-cache-slabs: 1
+	key-cache-slabs: 1
+
+	# don't be picky about interfaces but consider your firewall
+	interface: 0.0.0.0
+	interface: ::0
+	access-control: 0.0.0.0/0 allow
+	access-control: ::0/0 allow
+
+	# this limits TCP service but uses less buffers
+	outgoing-num-tcp: 1
+	incoming-num-tcp: 1
+
+	# use somewhat higher port numbers versus possible NAT issue
+	outgoing-port-permit: "10240-65335"
+
+	# uses less memory but less performance
+	outgoing-range: 60
+	num-queries-per-thread: 30
+
+	# exclude large responses
+	msg-buffer-size: 8192
+
+	# tiny memory cache
+	infra-cache-numhosts: 200
+	msg-cache-size: 100k
+	rrset-cache-size: 100k
+	key-cache-size: 100k
+	neg-cache-size: 10k
+
+	# gentle on recursion
+	target-fetch-policy: "2 1 0 0 0 0"
+	harden-large-queries: yes
+	harden-short-bufsize: yes
+
+	# DNSSEC enable by removing comments on "module-config:" and "auto-trust-
+	# -anchor-file:" The init script will copy root key to /var/lib/unbound.
+	# See package documentation for crontab entry to copy RFC5011 results back.
+	#module-config: "validator iterator"
+	#auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+	# DNSSEC needs real time to validate signatures. If your device does not
+	# have power off clock (reboot), then you may need this work around.
+	#domain-insecure: "pool.ntp.org"
+
+	############################################################################
+	# Resume Stock example.conf.in
+	############################################################################
+
 	# print statistics to the log (for every thread) every N seconds.
 	# Set to "" or 0 to disable. Default is disabled.
 	# statistics-interval: 0
